added new DC and transferred FSMO roles

Posted on 2014-09-15
Medium Priority
Last Modified: 2014-10-07
I recently added a new DC.  Once added and verified that DNS replicated I transferred the FSMO roles.  I did this so I could migrate the old DC to new hardware.  I'm getting the below error.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          9/14/2014 3:57:10 AM
Event ID:      2092
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      myDCname.domain.local

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Schema,CN=Configuration,DC=mydomain,DC=local
Question by:gopher_49
LVL 29

Expert Comment

ID: 40323470
Follow the instructions here to SEIZE the schema role and then run a netdom query to validate:
netdom query FSMO

Once you have the roles moved and you validate AD replication is as expected, I suggest you demote the old DC and do a metadata cleanup.
LVL 18

Expert Comment

by:Emmanuel Adebayo
ID: 40323480
How did you transfer the roles? Did you seize the role after transfer?

At the command prompt on the server enter
netdom query FSMO
This will list the FSMO roles on the server, seize the missing role(s) by using "Ntdsutil"

Also, check this MS KB http://support.microsoft.com/kb/2102154


Author Comment

ID: 40323494
I want to keep the old DC.  I just needed to migrate the VM to different hardware and it was my only DC.  So.  I added a new DC and then transferred the roles.  I then powered off the old DC and migrated that VM and powered it back on.

When running the fsmo query it shows my new dc to have the roles.  I did not seize  the schema role prior to running the command.

LVL 35

Expert Comment

by:Seth Simmons
ID: 40323585
When running the fsmo query it shows my new dc to have the roles.

which one did you run that on?  run on both and see if the results on both are accurate

Author Comment

ID: 40323754
Okay.  I'll run it on both and will report back shortly.

Author Comment

ID: 40325739
I ran the command on both DCs and the results were the same.  It was successful and shows the new DC to be the role holder for all roles.  The error posted at the top of the post was from a few days ago.  Nothing has changed except for online defrags finishing successfully.
LVL 35

Accepted Solution

Seth Simmons earned 2000 total points
ID: 40332604
if that error hasn't appeared since, i would say it was a transient error from when the fsmo roles were transferred and you won't be seeing it again since there have been no other messages and dcdiag is good on both systems since

often times when roles change, services are restarted, etc. transient messages like that will appear once in the beginning then go away

Author Comment

ID: 40332660
okay..  I'll watch the event logs over the next few days to assure it's okay and will update everyone.
LVL 29

Expert Comment

ID: 40332683
This has been seen in some instances where replication had not caught up. It might have just been the case here, since it has not repeated since.
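
Added example, not written by any participant in this thread: one way to script the checks discussed above (query the FSMO holders from both DCs, confirm replication is healthy, and see whether event 2092 has recurred). The DC names are placeholders, and the script assumes the ActiveDirectory PowerShell module from Windows Server 2012 or later RSAT.

```powershell
# Added example. DC names are placeholders; replace them with your own.
# Assumes the ActiveDirectory module and rights to read the remote event log.
Import-Module ActiveDirectory

$dcs   = 'DC01.domain.local', 'DC02.domain.local'   # placeholders
$since = (Get-Date).AddDays(-7)                      # look-back window for event 2092
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
         'RIDMaster', 'InfrastructureMaster'

# 1. Ask each DC who it believes holds every FSMO role.
$views = foreach ($dc in $dcs) {
    $d = Get-ADDomain -Server $dc
    $f = Get-ADForest -Server $dc
    [pscustomobject]@{
        AskedDC              = $dc
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
$views | Format-List

# 2. Warn on any role where the DCs give different answers.
foreach ($role in $roles) {
    $holders = @($views | ForEach-Object { $_.$role } | Sort-Object -Unique)
    if ($holders.Count -gt 1) {
        Write-Warning "$role differs between DCs: $($holders -join ', ')"
    }
}

foreach ($dc in $dcs) {
    # 3. Inbound replication state for every partition, including Schema.
    Get-ADReplicationPartnerMetadata -Target $dc -Partition * |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize

    # 4. Has event 2092 been logged again inside the look-back window?
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 2092; StartTime = $since }
    "{0}: {1} occurrence(s) of event 2092 since {2:u}" -f $dc, @($events).Count, $since
}
```

A LastReplicationResult of 0 with no consecutive failures on the Schema partition, and no new 2092 events, matches the transient case described in the accepted solution.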

Question has a verified solution.
